force SSL for all pages, but also set 301 redirects

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
7 years ago
Because they want to make the Internet more secure, in mid-2016 Google began increasing the page rank of all websites that SSL encrypt their entire websites, and in 2017, they will begin penalizing those sites who do not.

I want to force SSL for my entire site and do not want to cause 404's for all my organic search traffic, so I am wondering if the best method is to change the value in the settings table as described in this post, or if just setting the "forceSSL" value to true in the web.config and defining my own redirect rule like below is the best choice.
    <rule name="Redirect to http" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" negate="false" />
      <conditions logicalGrouping="MatchAny">
        <add input="{HTTPS}" pattern="off" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
    </rule>


I'm running version 3.40 of nopCommerce.
Any advice is welcome-

Thanks,
Steve
7 years ago
The "SecuritySettings.ForceSslForAllPages" setting is all that you need. If that is true, nopCommerce will do the redirect to https if you access the page via http.
7 years ago
That much I understand, but is it also sending the 301 instruction for search engines so that they update my URL's in their index and do not continue listing my insecure URL's forever?
7 years ago
embryo wrote:
That much I understand, but is it also sending the 301 instruction for search engines so that they update my URL's in their index and do not continue listing my insecure URL's forever?

I'm not sure about that, sorry. My SEO skills are quite low
7 years ago
Also, it seems to me that it would be much slower and inefficient to allow the client to open the site and create the threads and create a connection to the database to query the settings table to see the forceSSL setting and then redirect the user back to https and start over again...than it would be to let IIS catch the visitor as they enter the domain(web.config) and do the permanent redirect immediately.
Right?
7 years ago
embryo wrote:
Also, it seems to me that it would be much slower and inefficient to allow the client to open the site and create the threads and create a connection to the database to query the settings table to see the forceSSL setting and then redirect the user back to https and start over again...than it would be to let IIS catch the visitor as they enter the domain(web.config) and do the permanent redirect immediately.
Right?


If we assume that's how they implemented it.. I bet there's some sort of cache there.. no one can think of that approach as being a good idea
7 years ago
nop-payments.com wrote:
Also, it seems to me that it would be much slower and inefficient to allow the client to open the site and create the threads and create a connection to the database to query the settings table to see the forceSSL setting and then redirect the user back to https and start over again...than it would be to let IIS catch the visitor as they enter the domain(web.config) and do the permanent redirect immediately.
Right?

If we assume that's how they implemented it.. I bet there's some sort of cache there.. no one can think of that approach as being a good idea


That's just it. I do not want to assume anything.

I'm hoping someone who knows for certain whether changing the setting in the admin area "Force SSL for all site pages:" ONLY updates the web.config here:

    <authentication mode="Forms">
      <forms name="NOPCOMMERCE.AUTH" loginUrl="~/login" protection="All" timeout="43200" path="/" requireSSL="TRUE" slidingExpiration="true" />
    </authentication>


..or if it ALSO adds something like this in the <rewrite> section:

    <rule name="Redirect to https" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" negate="false" />
      <conditions logicalGrouping="MatchAny">
        <add input="{HTTPS}" pattern="off" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
    </rule>


Anyone?.....anyone?....anyone?....Bueller?
7 years ago
I'm running 3.2 and it does not add anything to the <rewrite> node. I'm using rewritemaps and rules in that section and nothing changes.

The Force SSL works fine. However, it creates a 302 redirect. Our SEO consultant recommends using a 301 Permanent. My rule is below and it causes an infinite loop.

    <rule name="HTTP/S to HTTPS Redirect" enabled="true" stopProcessing="true">
      <match url="(.*)" />
      <conditions logicalGrouping="MatchAny">
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>

My simple solution may be to create two sites, and the first is bound to http and it does a permanent redirect to the HTTPS site.
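
Added example, not part of the original thread or of nopCommerce: a small Python checker that classifies the three outcomes reported above (a 302 from the Force SSL setting, a 301 from the IIS rewrite rule, and a redirect loop). The host `shop.example`, the function names and the response tables are constructed for illustration; the loop table is one constructed way such a loop can arise, not a diagnosis of the poster's site.

```python
import http.client
from urllib.parse import urljoin, urlsplit

PERMANENT = {301, 308}        # signals a permanent move
TEMPORARY = {302, 303, 307}   # signals a temporary move

def live_fetch(url):
    """One GET without following redirects; returns (status, Location)."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.netloc, timeout=10)
    try:
        query = "?" + parts.query if parts.query else ""
        conn.request("GET", (parts.path or "/") + query)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit_https_redirect(url, fetch=live_fetch, max_hops=10):
    """Walk the redirect chain hop by hop and classify it."""
    seen, hops = {url}, []
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in PERMANENT | TEMPORARY or not location:
            break                          # reached a non-redirect response
        url = urljoin(url, location)       # Location may be relative
        hops.append((status, url))
        if url in seen:
            return "loop", hops            # same URL visited twice
        seen.add(url)
    else:
        return "loop", hops                # hop budget exhausted
    if not hops or not url.startswith("https://"):
        return "no-https-redirect", hops
    if any(code in TEMPORARY for code, _ in hops):
        return "temporary", hops           # e.g. the 302 reported for Force SSL
    return "permanent", hops               # every hop was 301/308

# Constructed response tables (placeholder host), one per outcome in the thread.
HOST = "shop.example"
HTTP_URL, HTTPS_URL = f"http://{HOST}/cart", f"https://{HOST}/cart"
APP_302 = {HTTP_URL: (302, HTTPS_URL), HTTPS_URL: (200, None)}
IIS_301 = {HTTP_URL: (301, HTTPS_URL), HTTPS_URL: (200, None)}
LOOP = {HTTP_URL: (301, HTTPS_URL), HTTPS_URL: (302, HTTP_URL)}
```

Against a live site, call `audit_https_redirect` with only the `http://` URL so the default `live_fetch` is used, and check for `permanent` before relying on the rule for search indexing.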
7 years ago
ppatel wrote:

My simple solution may be to create two sites, and the first is bound to http and it does a permanent redirect to the HTTPS site.


I ended up just adding my own rewrites node and it works fine...301's are issued to the engines.

    <rule name="Redirect to https" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" negate="false" />
      <conditions logicalGrouping="MatchAny">
        <add input="{HTTPS}" pattern="off" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
    </rule>
7 years ago
Did you keep the Force SSL to true? I had to uninstall a redirect plugin and it still did not work. I initially had Force SSL set to false and it still failed. I uninstalled the 301 redirects and set the Force SSL to true and now it works.

I'll reinstall the 301 plugins and confirm it still works.

Thanks for your help.